VoIP Security Becomes Enterprise Focus

By Brian Prince |
Posted 07-03-2007

As the number of VOIP deployments is expected to continue to increase, IT professionals and researchers are urging enterprises not to forget about security.

Voice-over-IP security threats are viewed as more theoretical than actual. But the few cases that have come to light have been brazen and costly. For example, investigators arrested two people in 2006 for a scam in which they were accused of hacking into the networks of several unnamed companies and hijacking their VOIP bandwidth for resale.

With IP phone use growing, some security specialists are saying it is a mistake to downplay the danger and it's time to learn what the threats are as well as how to counter them.

In a report, analysts from In-Stat predicted that the number of business IP phones sold would grow from 9.9 million in 2006 to 45.8 million in 2010. Yet more than 40 percent of the enterprises it surveyed don't have any specific security plans for their VOIP deployments. When asked to rate their VOIP security knowledge, most of the 250 IT professionals surveyed ranked themselves "somewhat knowledgeable"the lowest rating the survey offered.

"There's a gap between traditional data security and VOIP security," said Bogdan Materna, chief technology officer and vice president of engineering with VOIPshield Systems, of Ottawa.

"VOIP is unique and brings with it a whole new set of challenges, which existing solutions are not able to address. IP communications are conducted in real time and there's a whole new set of protocols and applications [that] must be supported. VOIP-specific solutions blend security and telecommunications requirements, along with industry research and intelligence that just aren't available in existing data security solutions," Materna said.

"For example, a data security IPS [intrusion prevention system] may cover a dozen or so VOIP vulnerabilities," he said. "That is really the tip of the iceberg, as every protocol and application in the VOIP network should be locked down."

In many ways, dealing with VOIP security will require users to reapply old lessons about the Internet; after all, VOIP systems are vulnerable to the same failure modes as the rest of an organization's IP network. The ease with which VOIP numbers can be acquired and disposed of means people will need to accept that such numbers are about as trustworthy as e-mail, said Adam O'Donnell, director of emerging technologies at Cloudmark, a network security technology company based in San Francisco.

"Constructing layered security features for VOIP may present a challenge, as there is no easy way to layer end-to-end cryptography and authentication on top of VOIP networks, especially with the large number of desktop VOIP terminals, which are essentially thin clients with proprietary software," O'Donnell said.

Early VOIP attacks were DoS (denial-of-service) attacks launched against specific VOIP implementations, O'Donnell said. Currently, however, hackers are focused more on what can be done with VOIP to improve old attacks, such as phishing via VOIP, dubbed "vishing," and scams such as faking the calling phone number of credit collection agencies, he said.

Though evidence of massive attacks of SPIT (spam over Internet telephony) is scant, Materna said he expects spam, toll fraud and DoS attacks to increase as VOIP implementation grows.

More toll fraud could mean trouble for VOIP providers. Stealth Communications, a data communications company based in New York, estimates that VOIP thieves already steal 200 million minutes every month, at a value of $26 million.

"As losses grow there will be significant impact," said Paul Henry, vice president of Technology Evangelism at Secure Computing, based in San Jose, Calif. "Hackers are stealing minutes every day and are creating a growing underground currency in the resale of those minutes. Further, ask any provider what percentage of new accounts is using stolen credit cardseverywhere you look in the food chain there is fraud."

So, where does that leave users? While most of securing VOIP is in fact relearning old lessons, the use of IP addresses and Caller ID for authentication while operating in a connectionless UDP (User Datagram Protocol) environment prone to easy spoofing requires extra vigilance, Henry said.

He suggested, among other things, that companies fully validate protocols and applications and use a gateway device that simulates a connected protocol for UDP.

Materna stressed that securing VOIP requires unique tools that work in conjunction with data security tools. "Any organization deploying or currently using VOIP should be taking a proactive approach to VOIP security built on the idea of protecting against attacks if they do get through using VOIP-specific IPS offerings and Session Border Controllers, and then mitigating attacks if they do occur using a combination of approaches," he said.

"Any approach should include education of end users on the types of threats. We all understand what spam is, and the same care should be taken so that users understand how VOIP is being exploited and how they may be targeted," he said.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.